From owner-freebsd-questions@FreeBSD.ORG Mon Oct 20 21:16:47 2008
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 4BF2E1065671 for ; Mon, 20 Oct 2008 21:16:47 +0000 (UTC) (envelope-from jalmberg@identry.com)
Received: from mx1.identry.com (on.identry.com [66.111.0.194]) by mx1.freebsd.org (Postfix) with ESMTP id 131F58FC2A for ; Mon, 20 Oct 2008 21:16:46 +0000 (UTC) (envelope-from jalmberg@identry.com)
Received: (qmail 8544 invoked by uid 89); 20 Oct 2008 21:16:46 -0000
Received: from unknown (HELO ?192.168.1.110?) (jalmberg@75.127.142.66) by mx1.identry.com with ESMTPA; 20 Oct 2008 21:16:46 -0000
Mime-Version: 1.0 (Apple Message framework v753.1)
In-Reply-To: <1479DAD4-A72B-415E-B8B0-FDEA810161ED@identry.com>
References: <1479DAD4-A72B-415E-B8B0-FDEA810161ED@identry.com>
Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed
Message-Id: <6E564226-98BE-4464-BA6C-A95848F02ABC@identry.com>
Content-Transfer-Encoding: 7bit
From: John Almberg
Date: Mon, 20 Oct 2008 17:16:45 -0400
To: freebsd-questions@freebsd.org
X-Mailer: Apple Mail (2.753.1)
Subject: Re: mysql connection through ssl tunnel
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 20 Oct 2008 21:16:47 -0000

On Oct 20, 2008, at 4:50 PM, John Almberg wrote:

>>> After a few hours of work today, I have all this working perfectly. I'm
>>> using autossh to automatically create and monitor the ssh tunnel, and I
>>> can make mysql connections through the tunnel with no problems. Very cool.
>>>
>>> And that's through PF firewalls on both machines, which added flavor to
>>> the exercise ;-)
>>>
>>> One question... and maybe this is a general, philosophical question...
>>>
>>> If autossh watches over my ssh tunnel, who or what watches over autossh?
>>>
>>> As a related question, how can I make autossh start automatically after
>>> a reboot? At the moment, I start autossh from the command line, like so:
>>>
>>>> autossh -M 20000 -fNg -L 33006:127.0.0.1:3306 admin@dbs.example.com
>>>
>>> There doesn't seem to be an rc.d file for autossh... Do I have to figure
>>> out how to make one?
>>>
>>
>> You can do this all by not using autossh at all: let init watch and
>> re-establish your ssh tunnel:
>>
>> This is in my /etc/ttys (wrapped for readability):
>>
>> ttyv8 "/usr/bin/ssh -l syslogng -nNTx -R 3306:local.domain.tld:3306
>> remote.domain.tld >/dev/null 2>&1" unknown on
>>
>> I let my central machine control the tunnel, not the sending one.
>
> H'mmm... This is new territory for me. I've just read some of the
> man pages and a few pages in Absolute BSD, and I guess I sort of
> understand what this does. I'm trying to grasp the connection
> between virtual terminals and this SSH tunnel...
>
> I guess my main question is, if I start the tunnel with this
> method, will I be able to access mysql in 'the usual way'? The
> following works with my autossh tunnel:
>
> mysql -h127.0.0.1 -P33006 -uuser -ppassword db
>
> So, if using the /etc/ttys file is equivalent, and I make the
> connection on the database server, rather than the client server,
> then I guess my ttys file should look like this (my ttyv8 is
> already used... I am guessing I should use the next one down):
>
> ttyv7 "/usr/bin/ssh -l admin -nNTx -R 3306:127.0.0.1:33006
> example.com >/dev/null 2>&1" unknown on
>
> Where 'admin' is the user I am logging into on the remote machine,
> and 'example.com' is the hostname of the remote machine. I guess
> equivalent to the following?
>
> ttyv7 "/usr/bin/ssh -nNTx -R 3306:127.0.0.1:33006
> admin@example.com >/dev/null 2>&1" unknown on
>
> Port 33006 is not a typo. There are databases running on both
> machines, so I need to use a different port for the tunnel.
>
> And as far as I can tell, I reload /etc/ttys with 'kill -1 1'.
>
> This looks dangerous...
>
> -- John

I tried this, and not surprisingly, it didn't work. Now I'm trying to debug it...

Question... if I want to ssh from the database server to the application server (in the direction shown by -R), I need to use port 48444 (not the actual port, but something high). In other words, I need to do something like:

ssh admin@example.com -p 48444

Does this ssh port have anything to do with trying to start this ssh tunnel? In other words, do I need to add a '-p 48420' to the ttyv7 command?

-- John
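The following is an added example and not code from anyone in the thread. It covers two points the exchange raises: the /etc/ttys entry for an init-supervised reverse tunnel, and the "who watches the watcher" question. On the first point, `-p` selects the port sshd listens on at the remote host and is independent of the ports named in `-R`, which only describe the tunnel endpoints, so a non-default sshd port has to be given to the ttys entry as well. The helper also adds `ExitOnForwardFailure` and `ServerAlive*`, because init can only respawn an ssh that exits: without them a session whose `-R` bind fails (for example because a stale sshd child still holds the port) or whose connection has silently hung stays alive and supervision does nothing. On the second point, `tunnel_listening` parses `sockstat -4 -l` style output and reports whether the forwarded port is actually bound, which is the check a cron job or monitor would run. The sshd port 48444 is taken from the message above; the sockstat text is constructed for the example, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes: 48444 is the sshd port on
# example.com as stated in the message; the sockstat sample is constructed.

# Build the ssh argument string for an init-supervised reverse tunnel.
#   $1 port sshd listens on at the remote host (-p; unrelated to the forwarded ports)
#   $2 port to bind on the remote host (left side of -R)
#   $3 host:port the remote listener is forwarded to, resolved on this machine
#   $4 user@host to log in as
# ExitOnForwardFailure: exit if the -R bind is refused, so init respawns instead of
# keeping a connected-but-useless session. ServerAlive*: a hung connection is torn
# down after 3 missed probes (90 s), again so that init gets to respawn it.
tunnel_args() {
    printf '%s' "-nNTx -p $1 -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -R $2:$3 $4"
}

# Produce a complete /etc/ttys entry in the shape used by the entries in the thread.
#   $1 terminal name (e.g. ttyv7); remaining arguments as for tunnel_args
ttys_line() {
    ttyname="$1"; shift
    printf '%s "/usr/bin/ssh %s >/dev/null 2>&1" unknown on\n' "$ttyname" "$(tunnel_args "$@")"
}

# Health check: return 0 if sockstat-style text $1 shows a tcp4 listener on
# 127.0.0.1:$2, else 1. On a live FreeBSD host pass "$(sockstat -4 -l)". Run it
# on the machine that should own the listener: the client for a -L tunnel, the
# remote end for a -R tunnel (where the listening socket belongs to sshd).
tunnel_listening() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $5 == "tcp4" && $6 == ("127.0.0.1:" port) && $7 == "*:*" { found = 1 }
        END { exit(found ? 0 : 1) }'
}

# Constructed `sockstat -4 -l` output: a local mysqld plus an ssh client holding
# a -L 33006 forward, as in the autossh setup described in the thread.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
mysql    mysqld     812   10 tcp4   127.0.0.1:3306        *:*
admin    ssh        1234  4  tcp4   127.0.0.1:33006       *:*
root     sshd       501   4  tcp4   *:22                  *:*'

# Demo: the ttyv7 entry the message is working toward, with the sshd port added.
ttys_line ttyv7 48444 3306 127.0.0.1:33006 admin@example.com

if tunnel_listening "$SAMPLE_SOCKSTAT" 33006; then
    echo "tunnel end on 127.0.0.1:33006 is listening"
else
    echo "no listener on 127.0.0.1:33006: tunnel is down" >&2
fi
```

Two things to keep in mind when running this for real. init executes a ttys entry as root, so the key that authenticates the tunnel is root's unless the command switches to a dedicated account the way the earlier reply's `-l syslogng` user suggests; pairing that account with an authorized_keys entry restricted by options such as `no-pty` and `no-X11-forwarding` keeps a key that exists only to hold a tunnel from being useful for anything else. And because init restarts the entry every time ssh exits, a persistent failure (wrong port, rejected key) turns into a tight respawn loop until init throttles it, so the health check above is the thing to watch in monitoring, not the presence of an ssh process.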